In its continued effort to improve the security of on-premises Exchange Servers, Microsoft released another security update for all current Exchange Server versions in August 2022.
In addition to installing this update, Microsoft strongly recommends that administrators enable the so-called Windows Extended Protection (WEP) on their Exchange Servers. Extended Protection "enhances the existing Windows authentication functionality in order to mitigate authentication relay or 'man in the middle' attacks." It does this by binding the Windows authentication (NTLM or Kerberos) to the TLS channel the client negotiated, using a channel binding token derived from the server certificate the client saw; this is why several of the prerequisites below concern TLS and certificates. However, enabling WEP comes with quite a few prerequisites, and understanding them can be a difficult and time-consuming task.
To help you quickly determine whether you are ready for WEP, we developed the following questionnaire. It should help you identify, and where possible solve, any problems that would prevent you from enabling it right away.
Questionnaire
Below you will find some questions about your Exchange environment. If you answer any of these questions with yes, you should NOT enable Windows Extended Protection yet. Under each question you will find additional information and advice on how to meet the prerequisite.
Are there any Exchange Server 2013 servers in my environment that host public folder mailboxes, either on their own or in coexistence with Exchange 2016 or 2019?
If you have any Exchange 2013 servers hosting public folder mailboxes, those public folders will no longer be accessible after enabling WEP. If you are running in coexistence with Exchange 2016 or 2019 servers, you must migrate your public folders to the newer servers before you enable WEP.
Is there any Exchange Server 2016 running CU 22 in my environment that hosts the public folder hierarchy?
If an Exchange 2016 server that hosts your public folder hierarchy is still running CU 22, upgrade it to CU 23 (or newer) before enabling WEP; otherwise, public folders will no longer be accessible. Alternatively, move the hierarchy mailbox to a server that has already been upgraded to a newer CU.
Is there any Exchange Server 2019 running CU 11 in my environment that hosts the public folder hierarchy?
If an Exchange 2019 server that hosts your public folder hierarchy is still running CU 11, upgrade it to CU 12 (or newer) before enabling WEP; otherwise, public folders will no longer be accessible. Alternatively, move the hierarchy mailbox to a server that has already been upgraded to a newer CU.
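The first three questions all come down to the same inventory: which build each server runs, and which server holds each public folder mailbox. The following script is an added example, not code from the original article or from Microsoft; it assumes you run it from an Exchange Management Shell and uses the minimum builds from Microsoft's published build table (Exchange 2016 CU23 = 15.1.2507.x, Exchange 2019 CU12 = 15.2.1118.x) as the threshold. It flags any public folder mailbox on an Exchange 2013 server, and any public folder mailbox on a 2016/2019 server below those builds, marking whether the mailbox is the writable hierarchy root.

```powershell
# Added example (not from the original article): list every Exchange server's build and
# flag public folder mailboxes that sit on a server covered by the first three questions.
# Assumed minimum builds (from Microsoft's build table): 2016 CU23 = 15.1.2507, 2019 CU12 = 15.2.1118.
# Run from an Exchange Management Shell.

$minBuild = @{
    '15.1' = [version]'15.1.2507.0'   # Exchange 2016 CU23
    '15.2' = [version]'15.2.1118.0'   # Exchange 2019 CU12
}

# Server inventory: AdminDisplayVersion is a ServerVersion object with
# Major/Minor/Build/Revision; fold it into a comparable [version].
$servers = Get-ExchangeServer | ForEach-Object {
    $v = $_.AdminDisplayVersion
    [pscustomobject]@{
        Name    = $_.Name
        Role    = $_.ServerRole
        Version = [version]::new($v.Major, $v.Minor, $v.Build, $v.Revision)
    }
}
$servers | Sort-Object Name | Format-Table -AutoSize

# Every public folder mailbox and the server currently holding its database.
$pfMailboxes = Get-Mailbox -PublicFolder -ResultSize Unlimited

$blockers = foreach ($pf in $pfMailboxes) {
    $srv = $servers | Where-Object { $_.Name -eq $pf.ServerName }
    if (-not $srv) { continue }   # should not happen; the server is not in the inventory

    $branch = '{0}.{1}' -f $srv.Version.Major, $srv.Version.Minor   # 15.0 / 15.1 / 15.2
    $reason = $null
    if ($branch -eq '15.0') {
        # Exchange 2013: any public folder mailbox on it is a blocker
        $reason = 'Exchange 2013 hosts a public folder mailbox'
    } elseif ($minBuild.ContainsKey($branch) -and $srv.Version -lt $minBuild[$branch]) {
        $reason = "build $($srv.Version) is below $($minBuild[$branch])"
    }

    if ($reason) {
        [pscustomobject]@{
            PublicFolderMailbox = $pf.Name
            Server              = $srv.Name
            HierarchyRoot       = [bool]$pf.IsRootPublicFolderMailbox   # writable hierarchy copy
            Reason              = $reason
        }
    }
}

if ($blockers) { $blockers | Format-Table -AutoSize }
else { 'No public folder mailbox sits on a server that blocks Extended Protection.' }
```

Every row in the blocker table is either a migration (Exchange 2013) or a CU upgrade / mailbox move (2016 and 2019) that has to be done before WEP is switched on.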
Are you using retention policies that automatically move mail to users' archive mailboxes?
If you use retention policies to move items from users' primary mailboxes to their archive mailboxes, this functionality will be broken after enabling WEP. Microsoft has said that it will provide a fix for this in the near future.
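To answer this question for a real environment you need to know which retention tags actually move items to the archive, which policies link those tags, and how many mailboxes with an archive use them. The script below is an added example (not from the original article) that does exactly that from an Exchange Management Shell; it makes no other assumptions about the environment.

```powershell
# Added example (not from the original article): find retention tags whose action is
# MoveToArchive, the retention policies that link them, and how many archive-enabled
# mailboxes are assigned each such policy. Run from an Exchange Management Shell.

$archiveTagNames = Get-RetentionPolicyTag |
    Where-Object { $_.RetentionAction -eq 'MoveToArchive' } |
    ForEach-Object { $_.Name }

if (-not $archiveTagNames) {
    'No retention tag moves items to the archive; this question does not apply.'
    return
}

$report = foreach ($policy in Get-RetentionPolicy) {
    # RetentionPolicyTagLinks holds the linked tags as directory object IDs.
    $linked = @($policy.RetentionPolicyTagLinks | ForEach-Object { $_.Name })
    $hits   = @($linked | Where-Object { $archiveTagNames -contains $_ })
    if ($hits.Count -eq 0) { continue }

    # Mailboxes assigned this policy that actually have an archive (ArchiveGuid is set).
    # The DN goes into an OPATH filter string, so escape any single quote in it.
    $dn = $policy.DistinguishedName -replace "'", "''"
    $affected = @(Get-Mailbox -ResultSize Unlimited -Filter "RetentionPolicy -eq '$dn'" |
                  Where-Object { $_.ArchiveGuid -ne [guid]::Empty })

    [pscustomobject]@{
        RetentionPolicy   = $policy.Name
        MoveToArchiveTags = ($hits -join ', ')
        ArchiveMailboxes  = $affected.Count
    }
}

$report | Format-Table -AutoSize
```

If the table is empty, or every policy in it has zero archive mailboxes, nobody in your environment depends on the move-to-archive behaviour and you can answer this question with no.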
Are you running Exchange hybrid in "Modern Hybrid" mode?
If your Exchange hybrid environment runs in "Modern Hybrid" mode (using the Hybrid Agent), enabling WEP is not supported. Microsoft gives advice in its documentation on how to safeguard environments running in Modern Hybrid mode.
Are your Exchange Servers behind a load balancer that uses "SSL Offloading"?
With SSL offloading the load balancer terminates TLS and forwards plain HTTP to Exchange, so there is no TLS channel on the server side for the authentication to be bound to. The channel binding check can never succeed, WEP fails, and this setup is therefore not supported.
Are your Exchange Servers behind a load balancer that uses "SSL Bridging"?
If you use SSL bridging between your load balancer and your Exchange Servers (TLS is terminated on the load balancer and re-encrypted towards Exchange), you must make sure that the load balancer and your Exchange Servers present the same certificate. Otherwise the channel binding token the client derives from the load balancer's certificate will not match the one Exchange derives from its own certificate, and WEP will fail.
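Both load balancer questions can be checked from one script. The following is an added example, not code from the original article: for every non-Edge Exchange server it reports whether Outlook Anywhere is configured for SSL offloading, and whether the certificate the server presents for your client namespace has the same thumbprint as the one the load balancer presents. It assumes `$Namespace` is your client-access FQDN (the placeholder `mail.contoso.com` is an assumption), that the load balancer and all servers are reachable on TCP 443 from where you run it, and that you run it from an Exchange Management Shell.

```powershell
# Added example (not from the original article): check the two load-balancer prerequisites
# for Extended Protection per server: no SSL offloading, and the same certificate (by
# thumbprint) on the load balancer and on each Exchange server.
# Assumed: $Namespace is your client namespace; TCP 443 is reachable from this host.
# Run from an Exchange Management Shell.

$Namespace = 'mail.contoso.com'   # assumption: replace with your client-access FQDN

function Get-PresentedCertThumbprint {
    param([string]$ConnectTo, [string]$Sni, [int]$Port = 443)
    # Open a TLS session to $ConnectTo, sending $Sni as the server name, and return the
    # thumbprint of the leaf certificate the peer presents. Validation is deliberately
    # bypassed: we only want to read the certificate, not make a trust decision.
    $client = [System.Net.Sockets.TcpClient]::new($ConnectTo, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        try {
            $ssl.AuthenticateAsClient($Sni)
            $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            return $leaf.Thumbprint
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

# What clients get from the load balancer for the namespace.
$lbThumbprint = Get-PresentedCertThumbprint -ConnectTo $Namespace -Sni $Namespace

$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }

$report = foreach ($srv in $servers) {
    $oa = Get-OutlookAnywhere -Server $srv.Name
    try {
        # Connect to the server directly, but send the namespace as SNI so IIS selects
        # the same binding the load balancer would hit when bridging.
        $srvThumbprint = Get-PresentedCertThumbprint -ConnectTo $srv.Fqdn -Sni $Namespace
    } catch {
        $srvThumbprint = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Server           = $srv.Name
        SslOffloading    = [bool]$oa.SSLOffloading              # must be False
        ServerThumbprint = $srvThumbprint
        LBThumbprint     = $lbThumbprint
        CertificateMatch = ($srvThumbprint -eq $lbThumbprint)   # must be True for bridging
    }
}

$report | Format-Table -AutoSize

# Anything listed here is a blocker for Extended Protection.
$report | Where-Object { $_.SslOffloading -or -not $_.CertificateMatch }
```

A `SslOffloading` of `True` means the load balancer is talking plain HTTP to that server and must be reconfigured for bridging or pass-through; a `CertificateMatch` of `False` means the same certificate (not just one with the same subject) has to be installed on the load balancer and on that server.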
Are the TLS settings of your Exchange Servers inconsistent, or is there any Exchange Server that does not yet explicitly use TLS 1.2?
If you are not consistently using TLS 1.2 across all of your Exchange Servers, or if you are not sure, follow Microsoft's guidance on the registry settings needed for TLS 1.2 (the SChannel protocol keys and the .NET Framework defaults) and apply the same settings to every server.
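The registry values involved are few, but they have to be identical on every server. The script below is an added example (not from the original article) that audits them on the server it runs on and, with `$Apply = $true`, sets the missing ones. The paths and values are those from Microsoft's Exchange TLS guidance (the SChannel `TLS 1.2` Server and Client keys, and `SystemDefaultTlsVersions` / `SchUseStrongCrypto` for the 64-bit and 32-bit .NET Framework 4 keys); it assumes an elevated shell and that you reboot afterwards, because SChannel reads these keys at boot.

```powershell
# Added example (not from the original article): audit the registry values that make TLS 1.2
# the explicit default for SChannel and the .NET Framework on an Exchange server, and
# optionally set them. Paths and values follow Microsoft's Exchange TLS guidance.
# Run elevated on each server; reboot afterwards. With $Apply = $false nothing is changed.

$Apply = $false

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$net64    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$net32    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

# Each entry: registry key, value name, required DWORD value.
$expected = @(
    @{ Path = "$schannel\Server"; Name = 'Enabled';           Value = 1 }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = "$schannel\Client"; Name = 'Enabled';           Value = 1 }
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = $net64; Name = 'SystemDefaultTlsVersions'; Value = 1 }   # let .NET follow the OS default
    @{ Path = $net64; Name = 'SchUseStrongCrypto';       Value = 1 }
    @{ Path = $net32; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Path = $net32; Name = 'SchUseStrongCrypto';       Value = 1 }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the current value, or $null when the key or the value does not exist.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($e in $expected) {
    $actual = Get-RegDword -Path $e.Path -Name $e.Name
    $ok = ($null -ne $actual) -and ([int]$actual -eq $e.Value)

    if (-not $ok -and $Apply) {
        # Create the key if needed, then write (or overwrite) the DWORD.
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
        $actual = $e.Value
        $ok = $true
    }

    [pscustomobject]@{
        Server   = $env:COMPUTERNAME
        Key      = ($e.Path -replace '^HKLM:\\', '')
        Name     = $e.Name
        Expected = $e.Value
        Actual   = $actual
        Ok       = $ok
    }
}

$results | Format-Table -AutoSize
```

Run it in audit mode on every server first and compare the `Ok` columns; a server that reports any `False` is the one that answers this question with yes. A missing value (`Actual` empty) is not the same as a correct one: when the `TLS 1.2` keys are absent the OS default decides, and that default is not the same on every Windows release.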
Are you using any third-party software that may not be compatible with WEP?
If you are, or if you are not sure, ask the vendor of the software whether it works with WEP. Note that enabling WEP mostly affects applications that connect to your Exchange Servers through its web services (the IIS virtual directories, for example EWS). Software that runs as a transport agent, for example, is not affected.
Conclusion
Enabling WEP on your Exchange Servers comes with quite a few prerequisites. But the security benefit is substantial, and the changes you may need to implement are well worth the effort.
If you want to find out more about the topic, check out the links below; they contain lots of well-maintained information about everything related to the August 2022 security update and WEP.